DDoS mitigation: How to stop DDoS attacks

A DDoS attack can wreak havoc on an organization, but a number of strategies can help stop such attacks and minimize their damage.

By the time a distributed denial-of-service attack has been identified, an organization's online services will already be crumbling. At this point, it is key to minimize the damage and downtime.

Proper network security measures are key to keeping DDoS attackers at bay, but attackers will inevitably bypass defensive strategies. If under attack, organizations should take the following steps to stop the attack and mitigate its effects.

Identify the type of DDoS attack

The following are the three types of DDoS attacks:

  1. Volume-based, in which attackers flood the network with requests.
  2. Protocol-based, in which attackers target Layer 3 or Layer 4 of the Open Systems Interconnection model. These include User Datagram Protocol reflection attacks, ping of death attacks, ACK flood attacks, TCP SYN flood attacks, Internet Control Message Protocol flood attacks, Fraggle attacks and Smurf attacks.
  3. Application layer-based, in which attackers target Layer 7. These include DNS query floods and DNS amplification attacks, HTTP floods and fragmentation attacks.

Knowing which attack the organization is up against dictates which mitigation steps to take.

Rate limiting and IP blocklisting

Combating Layer 3 attacks involves rate limiting and IP blocklisting. If logs show the IP addresses that are generating the DDoS traffic, block them. Note, however, that attackers can easily spoof IP addresses to bypass this line of defense.

Geoblocking can likewise block bots and large botnets operating from countries from which the website does not usually receive visitors, but an attack can easily shift to a botnet based elsewhere.

The downside of these approaches is that legitimate internet traffic is also blocked from the blocklisted regions.
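The rate-limiting, blocklisting and geoblocking decisions described above, written out as an added example that is not part of the original article: each source IP gets a one-second sliding window, a source that exceeds the allowed request count is put on a temporary blocklist, and sources in a geoblocked region are refused outright. The log lines, the prefix-to-country map and the country code "XX" are constructed placeholders standing in for a real access log and a real GeoIP lookup. The third visitor in the sample is legitimate but sits in the geoblocked region, which reproduces the downside noted above.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0        # length of the sliding window per source IP
MAX_REQUESTS = 5            # requests allowed per source within one window
BLOCK_SECONDS = 60.0        # how long an offending source stays on the blocklist
BLOCKED_COUNTRIES = {"XX"}  # constructed placeholder for a geoblock list

# Constructed prefix -> country map standing in for a real GeoIP lookup (hypothetical).
GEO_PREFIXES = {"203.0.113.": "US", "198.51.100.": "XX", "192.0.2.": "DE"}


def country_of(ip):
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


class RateLimiter:
    def __init__(self):
        self.windows = defaultdict(deque)  # ip -> timestamps of its recent requests
        self.blocklist = {}                # ip -> time at which its block expires

    def decide(self, ts, ip):
        """Classify one request: 'allow', 'geoblock', 'blocklisted' or 'rate_limited'."""
        if country_of(ip) in BLOCKED_COUNTRIES:
            return "geoblock"
        expiry = self.blocklist.get(ip)
        if expiry is not None:
            if ts < expiry:
                return "blocklisted"
            del self.blocklist[ip]          # block has aged out
        window = self.windows[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()                # drop requests older than the window
        if len(window) > MAX_REQUESTS:
            self.blocklist[ip] = ts + BLOCK_SECONDS
            window.clear()
            return "rate_limited"
        return "allow"


def replay(log_text):
    """Feed constructed 'timestamp source_ip path' lines through the limiter; tally decisions per IP."""
    limiter = RateLimiter()
    tally = defaultdict(lambda: defaultdict(int))
    for line in log_text.strip().splitlines():
        ts, ip, _path = line.split()
        tally[ip][limiter.decide(float(ts), ip)] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}


def build_sample_log():
    """Constructed traffic: one normal visitor, one flooding source, one visitor in a geoblocked region."""
    lines = [f"{t:.2f} 203.0.113.7 /page{i}.html" for i, t in enumerate((0.0, 0.8, 1.9))]
    lines += [f"{i * 0.025:.3f} 203.0.113.50 /index.html" for i in range(20)]
    lines.append("0.50 198.51.100.9 /index.html")
    return "\n".join(sorted(lines, key=lambda l: float(l.split()[0])))


if __name__ == "__main__":
    for ip, counts in replay(build_sample_log()).items():
        print(ip, counts)
```

Replaying the sample lets the normal visitor's three requests through, allows the flooding source its first five requests, rate-limits the sixth and refuses the remaining fourteen from the blocklist, and geoblocks the legitimate visitor from region "XX". Keying everything on the source address is exactly why spoofed addresses defeat this layer: a spoofing attacker spreads its traffic over addresses that never individually cross the threshold.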

Black hole routing

Layer 4 attacks usually require black hole routing, in which malicious traffic is routed into a black hole -- a virtual void where the packets are dropped or discarded. Because the black hole is normally keyed on the destination address, legitimate traffic to that address is dropped as well, so it protects the rest of the network at the expense of the targeted host.

Deep packet inspection

Layer 7 attacks are commonly launched by botnets that randomize and constantly modify requests so they look like legitimate user traffic. Prevention is key in these types of DDoS attacks. Deep packet inspection helps block malicious traffic from getting through.

Go offline

Taking a system offline is an extreme defensive option that is only viable when an attack is targeting a specific resource. For example, if an HTTP flood attack inundates servers with requests for large image or document files, admins can temporarily disable links to that resource but leave the rest of the website operating as normal. Once the service or resource has been isolated, harden it against further malware attacks, and bring it back online.
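Deciding whether an HTTP flood is concentrated on one resource, which is the precondition for taking only that resource offline, comes down to summarizing the access log per path. The following is an added example, not code from the article: it parses constructed access-log lines of the form "timestamp method path status bytes", computes each path's request rate and share of bytes served, flags the paths that are both hammered well above the site's normal rate and dominating bandwidth, and produces the list of paths to disable temporarily while the rest of the site stays up. The thresholds and the sample traffic (a catalog PDF requested 200 times in ten seconds alongside ordinary page views) are constructed.

```python
from collections import defaultdict

RATE_THRESHOLD = 10.0   # requests per second to a single path before it is suspect (constructed)
BYTE_SHARE = 0.5        # fraction of all bytes served that one path may account for (constructed)


def parse_log(log_text):
    """Yield (timestamp, path, bytes) from constructed 'ts method path status bytes' lines."""
    for line in log_text.strip().splitlines():
        ts, _method, path, _status, nbytes = line.split()
        yield float(ts), path, int(nbytes)


def summarize_by_resource(log_text):
    """Per-path request count, bytes served, request rate and share of total bytes."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    first = last = None
    for ts, path, nbytes in parse_log(log_text):
        stats[path]["requests"] += 1
        stats[path]["bytes"] += nbytes
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    duration = max(last - first, 1e-9) if first is not None else 1e-9
    total_bytes = sum(s["bytes"] for s in stats.values()) or 1
    for s in stats.values():
        s["rate"] = s["requests"] / duration
        s["byte_share"] = s["bytes"] / total_bytes
    return dict(stats)


def find_flooded_resources(stats):
    """Paths that are both requested far above the normal rate and dominating bandwidth."""
    return sorted(path for path, s in stats.items()
                  if s["rate"] > RATE_THRESHOLD and s["byte_share"] > BYTE_SHARE)


def isolation_plan(stats, flooded):
    """Which paths to disable temporarily and which to keep serving as normal."""
    return {"disable": list(flooded),
            "keep": sorted(path for path in stats if path not in flooded)}


def build_sample_log():
    """Constructed log: ordinary page views plus a flood of requests for one large PDF."""
    normal = [("/index.html", 4200), ("/about.html", 3100), ("/css/site.css", 9800)]
    lines = [f"{i * 0.33:.2f} GET {normal[i % 3][0]} 200 {normal[i % 3][1]}" for i in range(30)]
    lines += [f"{i * 0.05:.2f} GET /downloads/catalog.pdf 200 5242880" for i in range(200)]
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarize_by_resource(build_sample_log())
    flooded = find_flooded_resources(stats)
    print(isolation_plan(stats, flooded))
```

On the sample log only /downloads/catalog.pdf is flagged (about 20 requests per second and nearly all of the bytes served), so the plan disables that one path and keeps the three ordinary pages online. Requiring both conditions avoids disabling a small, cheap resource that is merely popular.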

It's important to keep a log of any changes made to a network device or cybersecurity control during an attack to ensure the system can return to normal once the attack ends.

DDoS detection tools

Although DDoS detection tools might provide some mitigation features and buy an organization time to implement other defensive measures, they are temporary fixes that attackers can circumvent or overwhelm. Moreover, these tools require a level of in-house expertise. Changing configurations in response to an initial attack wave might stop similar probes, but attackers will quickly modify their methods. This forces IT teams to constantly alter configurations while simultaneously trying to restore downed services. The sheer scale of many DDoS attacks also calls for additional measures to keep services accessible: organizations face network bandwidth constraints that limit the ability of their own security hardware to stop network layer attacks.

DDoS services

Many vendors, including Cloudflare, Imperva and Akamai, offer DDoS mitigation services. These providers can handle and analyze incoming traffic quickly and efficiently and then intelligently route it to prevent any service interruptions.

DDoS protection services are offered on-demand -- activated only when a DDoS threat is detected -- or always-on, where all traffic is routed through a cloud scrubbing center and analyzed and filtered before clean traffic is delivered to the network. Cloud scrubbing introduces minor latency but is best for mission-critical applications.

ISP protection

Truly scalable DDoS protection is only possible upstream, from the organization's ISP, content delivery network (CDN) and DDoS mitigation providers. Typically, ISPs offer only network layer protection, but it's still important to give providers as much information as possible -- such as the protocols used and the source IP addresses -- so they can block traffic before it reaches the affected network perimeter.

A DDoS attack is often used as a decoy to distract security teams, enabling system infiltration or data exfiltration activities to escape notice -- a practice known as smokescreening. Smokescreen use means incident response teams also need to investigate logs for evidence of other events that might be taking place during or after the DDoS attack.
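The log review that smokescreening calls for can be reduced to a time-window correlation. The following is an added example, not code from the article: given a constructed excerpt of security events ("timestamp host event_type detail") and the interval during which the DDoS was observed, it returns the high-value events (administrative logins, privilege changes, large outbound transfers, firewall rule changes) that occurred while the attack was active or within a grace period after it ended, tagged with the phase in which they occurred. The event types, hosts, addresses and the 11:00 to 12:30 attack window are all constructed; a real deployment would read these from the SIEM or the relevant logs.

```python
from datetime import datetime, timedelta

# Event types that deserve a second look when they coincide with a DDoS (constructed list).
SUSPICIOUS_TYPES = {
    "admin_login_success",
    "privilege_change",
    "large_outbound_transfer",
    "new_firewall_rule",
}

# Constructed log excerpt (not from the article): "timestamp host event_type detail".
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 web01 user_login_success alice from 192.0.2.10
2024-05-01T11:05:00 vpn01 admin_login_success root from 198.51.100.77
2024-05-01T11:20:00 fw01 new_firewall_rule allow all outbound to 198.51.100.77
2024-05-01T11:40:00 db01 large_outbound_transfer 3.2GB to 198.51.100.77
2024-05-01T13:10:00 web01 user_login_success bob from 192.0.2.11
2024-05-01T14:30:00 db01 large_outbound_transfer 1.1GB to 198.51.100.77
2024-05-01T18:00:00 fs01 large_outbound_transfer 0.9GB to 192.0.2.200
"""


def parse_events(text):
    """Parse the constructed event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, etype, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "type": etype, "detail": detail})
    return events


def correlate_with_ddos(events, ddos_start, ddos_end, grace=timedelta(hours=2)):
    """Suspicious events that fall inside the attack window or the grace period after it."""
    window_end = ddos_end + grace
    hits = []
    for ev in events:
        if ev["type"] in SUSPICIOUS_TYPES and ddos_start <= ev["ts"] <= window_end:
            phase = "during" if ev["ts"] <= ddos_end else "after"
            hits.append({**ev, "phase": phase})
    return hits


def run_sample():
    """Correlate the constructed events against a DDoS observed from 11:00 to 12:30 (constructed)."""
    return correlate_with_ddos(parse_events(SAMPLE_EVENTS),
                               datetime(2024, 5, 1, 11, 0),
                               datetime(2024, 5, 1, 12, 30))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit["phase"], hit["ts"].isoformat(), hit["host"], hit["type"], hit["detail"])
```

On the sample data the ordinary user logins are ignored, the administrative login, firewall change and first large transfer are reported as occurring during the attack, the 14:30 transfer is reported as occurring in the grace period after it, and the evening transfer falls outside the window. The grace period matters because exfiltration frequently continues after the decoy traffic stops.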

Keep communications open

During a DDoS attack, it's important to keep executives, employees, customers and partners up to date. Social media platforms -- unaffected by the attack -- are an effective way to reach out.

Attack follow-up: Implement DDoS prevention measures

If an organization has already been hit by a DDoS attack, it's too late to deploy DDoS prevention measures against it. It is crucial, however, to adopt the following best practices to prevent DDoS attacks in the future:

  • Create a DDoS attack response plan.
  • Conduct continuous monitoring.
  • Follow patch management best practices.
  • Reduce the attack surface.
  • Scale network bandwidth and server capacity.
  • Implement rate limiting.
  • Use a CDN, load balancing and access control lists.
  • Deploy a web application firewall.

Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.